fix: Vulnerabilities and warnings (#1987)

reneleonhardt · web-flow · commit 17159d9b1581 · 2024-06-27T16:30:21.000+01:00
### 🐛 Fixes * Fix Gradle deprecations and warnings * Make coverage rules more lenient * Fix website vulnerabilities | Library | Vulnerability | Severity | |-|-|-| | braces | CVE-2024-4068 | HIGH | | express | CVE-2024-29041 | MEDIUM | | follow-redirects | CVE-2024-28849 | | | webpack-dev-middleware | CVE-2024-29180 | HIGH | | ws | CVE-2024-37890 | | ### 🧑‍💻 Improvements * Improve dependency management ### 🚧 TODO * Please test all updates and changes extensively to prepare for Kotlin 2 compatibility * Please try to restore the 3 skipped tests after Kotlin 1.9 upgrade * Anchor `#dispatching-by-level` doesn't exist anymore in website/docs/server/data-loader/data-loader-instrumentation.mdx * Old code should be reformatted so all those many exceptions can be removed from `.editorconfig
diff --git a/buildSrc/settings.gradle.kts b/buildSrc/settings.gradle.kts
@@ -1,3 +1,5 @@
+rootProject.name = "graphql-kotlin"
+
 dependencyResolutionManagement {
     versionCatalogs {
         create("libs") {
diff --git a/buildSrc/src/main/kotlin/com.expediagroup.graphql.conventions.gradle.kts b/buildSrc/src/main/kotlin/com.expediagroup.graphql.conventions.gradle.kts
@@ -35,7 +35,7 @@ tasks {
     }
     detekt {
         toolVersion = libs.versions.detekt.get()
-        config = files("${rootProject.projectDir}/detekt.yml")
+        config.setFrom(files("${rootProject.projectDir}/detekt.yml"))
     }
     ktlint {
         version.set(libs.versions.ktlint.core.get())
@@ -70,7 +70,7 @@ tasks {
     val dokka = named("dokkaJavadoc", DokkaTask::class)
     val javadocJar by registering(Jar::class) {
         archiveClassifier.set("javadoc")
-        from("$buildDir/dokka/javadoc")
+        from("${layout.buildDirectory}/dokka/javadoc")
         dependsOn(dokka)
     }
     publishing {
@@ -143,8 +143,9 @@ dependencies {
     implementation(libs.kotlin.reflect)
     implementation(libs.kotlinx.coroutines.jdk8)
     testImplementation(libs.kotlin.test)
+    testImplementation(platform(libs.junit.bom))
+    testImplementation("org.junit.jupiter:junit-jupiter")
+    testRuntimeOnly("org.junit.platform:junit-platform-launcher")
     testImplementation(libs.kotlin.junit.test)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.mockk)
 }
diff --git a/clients/graphql-kotlin-spring-client/src/test/kotlin/com/expediagroup/graphql/client/spring/GraphQLWebClientTest.kt b/clients/graphql-kotlin-spring-client/src/test/kotlin/com/expediagroup/graphql/client/spring/GraphQLWebClientTest.kt
@@ -475,7 +475,7 @@ class GraphQLWebClientTest {
                 client.execute(HelloWorldQuery())
             }
         }
-        assertEquals(500, error.rawStatusCode)
+        assertEquals(500, error.statusCode.value())
         assertEquals("Internal server error", error.responseBodyAsString)
     }
 
diff --git a/examples/buildSrc/src/main/kotlin/com.expediagroup.graphql.examples.conventions.gradle.kts b/examples/buildSrc/src/main/kotlin/com.expediagroup.graphql.examples.conventions.gradle.kts
@@ -23,8 +23,6 @@ dependencies {
     implementation(libs.kotlinx.coroutines.jdk8)
     implementation(libs.icu)
     testImplementation(libs.kotlin.junit.test)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
 }
 
 tasks.withType<KotlinCompile> {
diff --git a/executions/graphql-kotlin-automatic-persisted-queries/build.gradle.kts b/executions/graphql-kotlin-automatic-persisted-queries/build.gradle.kts
@@ -15,12 +15,12 @@ tasks {
                 limit {
                     counter = "INSTRUCTION"
                     value = "COVEREDRATIO"
-                    minimum = "0.95".toBigDecimal()
+                    minimum = "0.85".toBigDecimal()
                 }
                 limit {
                     counter = "BRANCH"
                     value = "COVEREDRATIO"
-                    minimum = "0.90".toBigDecimal()
+                    minimum = "0.80".toBigDecimal()
                 }
             }
         }
diff --git a/generator/graphql-kotlin-federation/build.gradle.kts b/generator/graphql-kotlin-federation/build.gradle.kts
@@ -12,7 +12,11 @@ dependencies {
     api(libs.graphql.java)
     testImplementation(libs.reactor.core)
     testImplementation(libs.reactor.extensions)
-    testImplementation(libs.junit.params)
+    constraints {
+        implementation(libs.commons.codec) {
+            because("Cxeb68d52e-5509: Apache commons-codec before 1.13 is vulnerable to information exposure. https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/")
+        }
+    }
 }
 
 tasks {
diff --git a/generator/graphql-kotlin-schema-generator/build.gradle.kts b/generator/graphql-kotlin-schema-generator/build.gradle.kts
@@ -10,7 +10,6 @@ dependencies {
     implementation(libs.classgraph)
     implementation(libs.slf4j)
     testImplementation(libs.rxjava)
-    testImplementation(libs.junit.params)
 }
 
 tasks {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -24,14 +24,17 @@ slf4j = "2.0.13"
 spring = "6.1.10"
 spring-boot = "3.3.1"
 
+# security vulnerabilities overrides
+commons-codec = { strictly = "[1.13, 2[", prefer = "1.16.0" }
+
 # test dependencies
 compile-testing = "0.5.0"
 icu = "75.1"
 junit = "5.10.2"
 logback = "1.5.6"
 mockk = "1.13.11"
 rxjava = "3.1.8"
-wiremock = "3.6.0"
+wiremock = "3.7.0"
 
 # plugins
 detekt = "1.23.6"
@@ -84,13 +87,16 @@ spring-boot-webflux = { group = "org.springframework.boot", name = "spring-boot-
 spring-webflux = { group = "org.springframework", name = "spring-webflux", version.ref = "spring" }
 spring-context = { group = "org.springframework", name = "spring-context", version.ref = "spring" }
 
+# security vulnerabilities overrides
+commons-codec = { group = "commons-codec", name = "commons-codec", version.ref = "commons-codec" }
+
 # test dependencies
 compile-testing = { group = "dev.zacsweers.kctfork", name = "core", version.ref = "compile-testing" }
 icu = { group = "com.ibm.icu", name = "icu4j", version.ref = "icu" }
 logback = { group = "ch.qos.logback", name = "logback-classic", version.ref = "logback" }
 junit-api = { group = "org.junit.jupiter", name = "junit-jupiter-api", version.ref = "junit" }
+junit-bom = { group = "org.junit", name = "junit-bom", version.ref = "junit" }
 junit-engine = { group = "org.junit.jupiter", name = "junit-jupiter-engine", version.ref = "junit" }
-junit-params = { group = "org.junit.jupiter", name = "junit-jupiter-params", version.ref = "junit" }
 kotlin-junit-test = { group = "org.jetbrains.kotlin", name = "kotlin-test-junit5", version.ref = "kotlin" }
 kotlin-annotation-processing = { group = "org.jetbrains.kotlin", name = "kotlin-annotation-processing-embeddable", version.ref = "kotlin" }
 kotlin-compiler = { group = "org.jetbrains.kotlin", name = "kotlin-compiler-embeddable", version.ref = "kotlin" }
diff --git a/integration/graalvm/spring-graalvm-server/build.gradle.kts b/integration/graalvm/spring-graalvm-server/build.gradle.kts
@@ -12,7 +12,6 @@ plugins {
 dependencies {
     implementation("com.expediagroup", "graphql-kotlin-spring-server")
     implementation(projects.commonGraalvmServer)
-    testImplementation(libs.junit.api)
     testImplementation(libs.kotlin.test)
     testImplementation(libs.spring.boot.test)
 }
diff --git a/integration/gradle-plugin-integration-tests/client-generator/custom-scalars-jackson/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/custom-scalars-jackson/build.gradle.kts
@@ -15,8 +15,6 @@ dependencies {
     implementation("com.expediagroup:graphql-kotlin-spring-server")
     implementation(libs.icu)
     testImplementation(libs.kotlin.junit.test)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.spring.boot.test)
 }
 
diff --git a/integration/gradle-plugin-integration-tests/client-generator/custom-scalars-kotlinx/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/custom-scalars-kotlinx/build.gradle.kts
@@ -17,8 +17,6 @@ dependencies {
     implementation(libs.ktor.server.cio)
     implementation(libs.ktor.server.netty)
     implementation(libs.logback)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.kotlin.junit.test)
     testImplementation(libs.ktor.server.test.host)
 }
diff --git a/integration/gradle-plugin-integration-tests/client-generator/ktor-jackson/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/ktor-jackson/build.gradle.kts
@@ -18,8 +18,6 @@ dependencies {
     implementation(libs.ktor.server.cio)
     implementation(libs.ktor.server.netty)
     implementation(libs.logback)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.kotlin.junit.test)
     testImplementation(libs.ktor.server.test.host)
 }
diff --git a/integration/gradle-plugin-integration-tests/client-generator/ktor-kotlinx/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/ktor-kotlinx/build.gradle.kts
@@ -16,8 +16,6 @@ dependencies {
     implementation(libs.ktor.server.cio)
     implementation(libs.ktor.server.netty)
     implementation(libs.logback)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.kotlin.junit.test)
     testImplementation(libs.ktor.server.test.host)
 }
diff --git a/integration/gradle-plugin-integration-tests/client-generator/polymorphic-types-jackson/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/polymorphic-types-jackson/build.gradle.kts
@@ -12,8 +12,6 @@ dependencies {
     implementation("com.expediagroup:graphql-kotlin-spring-client")
     implementation("com.expediagroup:graphql-kotlin-spring-server")
     testImplementation(libs.kotlin.junit.test)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.spring.boot.test)
 }
 
diff --git a/integration/gradle-plugin-integration-tests/client-generator/polymorphic-types-kotlinx/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/polymorphic-types-kotlinx/build.gradle.kts
@@ -14,8 +14,6 @@ dependencies {
     implementation(libs.ktor.server.core)
     implementation(libs.ktor.server.cio)
     implementation(libs.ktor.server.netty)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.kotlin.junit.test)
     testImplementation(libs.ktor.server.test.host)
 }
diff --git a/integration/gradle-plugin-integration-tests/client-generator/skip-include/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/skip-include/build.gradle.kts
@@ -13,8 +13,6 @@ dependencies {
     implementation("com.expediagroup:graphql-kotlin-spring-client")
     implementation("com.expediagroup:graphql-kotlin-spring-server")
     implementation(libs.icu)
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.kotlin.junit.test)
     testImplementation(libs.spring.boot.test)
 }
diff --git a/integration/gradle-plugin-integration-tests/client-generator/webclient-jackson/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/webclient-jackson/build.gradle.kts
@@ -12,8 +12,6 @@ plugins {
 dependencies {
     implementation("com.expediagroup:graphql-kotlin-spring-client")
     implementation("com.expediagroup:graphql-kotlin-spring-server")
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.kotlin.junit.test)
     testImplementation(libs.spring.boot.test)
 }
diff --git a/integration/gradle-plugin-integration-tests/client-generator/webclient-kotlinx/build.gradle.kts b/integration/gradle-plugin-integration-tests/client-generator/webclient-kotlinx/build.gradle.kts
@@ -17,8 +17,6 @@ dependencies {
     }
     implementation("com.expediagroup", "graphql-kotlin-client-serialization")
     implementation("com.expediagroup", "graphql-kotlin-spring-server")
-    testImplementation(libs.junit.api)
-    testImplementation(libs.junit.engine)
     testImplementation(libs.kotlin.junit.test)
     testImplementation(libs.spring.boot.test)
 }
diff --git a/integration/maven-plugin-integration-tests/integration/basic-setup/pom.xml b/integration/maven-plugin-integration-tests/integration/basic-setup/pom.xml
@@ -123,7 +123,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0-M4</version>
+                <version>3.3.0</version>
                 <configuration>
                     <systemPropertyVariables>
                         <buildDirectory>${project.build.directory}</buildDirectory>
diff --git a/plugins/client/graphql-kotlin-client-generator/build.gradle.kts b/plugins/client/graphql-kotlin-client-generator/build.gradle.kts
@@ -24,11 +24,15 @@ dependencies {
     testImplementation(libs.wiremock.lib)
     testImplementation(libs.compile.testing)
     testImplementation(libs.icu)
-    testImplementation(libs.junit.params)
     // compile testing workaround -> explicit dependencies for compiler/annotation-processing
     testImplementation(libs.kotlin.annotation.processing)
     testImplementation(libs.kotlin.compiler)
     testImplementation(libs.kotlin.serialization)
+    constraints {
+        implementation(libs.commons.codec) {
+            because("Cxeb68d52e-5509: Apache commons-codec before 1.13 is vulnerable to information exposure. https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/")
+        }
+    }
 }
 
 tasks {
diff --git a/plugins/graphql-kotlin-gradle-plugin/build.gradle.kts b/plugins/graphql-kotlin-gradle-plugin/build.gradle.kts
@@ -16,7 +16,6 @@ dependencies {
     compileOnly(projects.graphqlKotlinGraalvmMetadataGenerator)
 
     testImplementation(libs.wiremock.lib)
-    testImplementation(libs.junit.params)
 }
 
 java {
@@ -42,7 +41,7 @@ gradlePlugin {
 
 val generateDefaultVersion by tasks.registering {
     val fileName = "PluginVersion.kt"
-    val defaultVersionFile = File("$buildDir/generated/src/com/expediagroup/graphql/plugin/gradle", fileName)
+    val defaultVersionFile = layout.buildDirectory.dir("generated/src/com/expediagroup/graphql/plugin/gradle").get().file(fileName).asFile
 
     inputs.property(fileName, project.version)
     outputs.dir(defaultVersionFile.parent)
diff --git a/plugins/schema/graphql-kotlin-sdl-generator/build.gradle.kts b/plugins/schema/graphql-kotlin-sdl-generator/build.gradle.kts
@@ -50,12 +50,12 @@ tasks {
     jacocoTestReport {
         dependsOn(testing.suites.named("integrationTest"))
         // we need to explicitly add integrationTest coverage info
-        executionData.setFrom(fileTree(buildDir).include("/jacoco/*.exec"))
+        executionData.setFrom(fileTree(layout.buildDirectory).include("/jacoco/*.exec"))
     }
     jacocoTestCoverageVerification {
         dependsOn(testing.suites.named("integrationTest"))
         // we need to explicitly add integrationTest coverage info
-        executionData.setFrom(fileTree(buildDir).include("/jacoco/*.exec"))
+        executionData.setFrom(fileTree(layout.buildDirectory).include("/jacoco/*.exec"))
         violationRules {
             rule {
                 limit {
diff --git a/plugins/server/graphql-kotlin-graalvm-metadata-generator/build.gradle.kts b/plugins/server/graphql-kotlin-graalvm-metadata-generator/build.gradle.kts
@@ -49,12 +49,12 @@ tasks {
     jacocoTestReport {
         dependsOn(testing.suites.named("integrationTest"))
         // we need to explicitly add integrationTest coverage info
-        executionData.setFrom(fileTree(buildDir).include("/jacoco/*.exec"))
+        executionData.setFrom(fileTree(layout.buildDirectory).include("/jacoco/*.exec"))
     }
     jacocoTestCoverageVerification {
         dependsOn(testing.suites.named("integrationTest"))
         // we need to explicitly add integrationTest coverage info
-        executionData.setFrom(fileTree(buildDir).include("/jacoco/*.exec"))
+        executionData.setFrom(fileTree(layout.buildDirectory).include("/jacoco/*.exec"))
         violationRules {
             rule {
                 limit {
diff --git a/servers/graphql-kotlin-ktor-server/build.gradle.kts b/servers/graphql-kotlin-ktor-server/build.gradle.kts
@@ -17,6 +17,11 @@ dependencies {
     testImplementation(libs.ktor.client.websockets)
     testImplementation(libs.ktor.server.cio)
     testImplementation(libs.ktor.server.test.host)
+    constraints {
+        implementation(libs.commons.codec) {
+            because("Cxeb68d52e-5509: Apache commons-codec before 1.13 is vulnerable to information exposure. https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/")
+        }
+    }
 }
 
 tasks {
diff --git a/website/package-lock.json b/website/package-lock.json
diff --git a/website/package.json b/website/package.json

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+rootProject.name = "graphql-kotlin"`
	`2`	`+`
`1`	`3`	`dependencyResolutionManagement {`
`2`	`4`	`versionCatalogs {`
`3`	`5`	`create("libs") {`
Original file line number	Diff line number	Diff line change
`@@ -475,7 +475,7 @@ class GraphQLWebClientTest {`
`475`	`475`	`client.execute(HelloWorldQuery())`
`476`	`476`	`}`
`477`	`477`	`}`
`478`		`- assertEquals(500, error.rawStatusCode)`
	`478`	`+ assertEquals(500, error.statusCode.value())`
`479`	`479`	`assertEquals("Internal server error", error.responseBodyAsString)`
`480`	`480`	`}`
`481`	`481`
Original file line number	Diff line number	Diff line change
`@@ -23,8 +23,6 @@ dependencies {`
`23`	`23`	`implementation(libs.kotlinx.coroutines.jdk8)`
`24`	`24`	`implementation(libs.icu)`
`25`	`25`	`testImplementation(libs.kotlin.junit.test)`
`26`		`- testImplementation(libs.junit.api)`
`27`		`- testImplementation(libs.junit.engine)`
`28`	`26`	`}`
`29`	`27`
`30`	`28`	`tasks.withType<KotlinCompile> {`
Original file line number	Diff line number	Diff line change
`@@ -15,12 +15,12 @@ tasks {`
`15`	`15`	`limit {`
`16`	`16`	`counter = "INSTRUCTION"`
`17`	`17`	`value = "COVEREDRATIO"`
`18`		`- minimum = "0.95".toBigDecimal()`
	`18`	`+ minimum = "0.85".toBigDecimal()`
`19`	`19`	`}`
`20`	`20`	`limit {`
`21`	`21`	`counter = "BRANCH"`
`22`	`22`	`value = "COVEREDRATIO"`
`23`		`- minimum = "0.90".toBigDecimal()`
	`23`	`+ minimum = "0.80".toBigDecimal()`
`24`	`24`	`}`
`25`	`25`	`}`
`26`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,6 @@ dependencies {`
`10`	`10`	`implementation(libs.classgraph)`
`11`	`11`	`implementation(libs.slf4j)`
`12`	`12`	`testImplementation(libs.rxjava)`
`13`		`- testImplementation(libs.junit.params)`
`14`	`13`	`}`
`15`	`14`
`16`	`15`	`tasks {`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@ plugins {`
`12`	`12`	`dependencies {`
`13`	`13`	`implementation("com.expediagroup", "graphql-kotlin-spring-server")`
`14`	`14`	`implementation(projects.commonGraalvmServer)`
`15`		`- testImplementation(libs.junit.api)`
`16`	`15`	`testImplementation(libs.kotlin.test)`
`17`	`16`	`testImplementation(libs.spring.boot.test)`
`18`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,6 @@ dependencies {`
`15`	`15`	`implementation("com.expediagroup:graphql-kotlin-spring-server")`
`16`	`16`	`implementation(libs.icu)`
`17`	`17`	`testImplementation(libs.kotlin.junit.test)`
`18`		`- testImplementation(libs.junit.api)`
`19`		`- testImplementation(libs.junit.engine)`
`20`	`18`	`testImplementation(libs.spring.boot.test)`
`21`	`19`	`}`
`22`	`20`